In many ways, security awareness training exemplifies the way information security is seen and tackled by senior management.

A once-a-year, classroom-based approach may be traditional, with security updates and warnings posted on walls and the Intranet, but it is also a sign of a tick-box, compliance-driven approach to security. It is often done to appease industry regulators, PCI and data protection authorities, and the training can offer relatively basic – arguably condescending- advice.

But times are changing. The threat landscape is growing with the arrival of millions of mobiles and wearables, each with their own IP address, while organized crime and nation-state APT groups are looking at new ways of compromising victims. From exploit kits and Trojans to ransomware, phishing and social engineering scams – the criminal game has moved on.

The information security industry has recognized this, calling for an end to prevention-focused defenses, and more focus on response. But surely that means that security training must change in turn?

Still a low priority

There’s a debate to be had on how seriously Chief Information Security Officers (CISO) or Chief Security Officers (CSO) are taking security training – and how well they’re doing it.

One study, commissioned by ClubCISO last year, found that 21 percent of CISOs had ‘never’ given security training, with a further 21 percent indicating that they only did so when new staff joined the company. Thirty-seven percent said they carried out training on an annual basis and another 21 percent agreed that this was carried out “frequently”.

More than half (52 percent) of the surveyed CISOs admitted that their security awareness training programs had ‘no measure of effectiveness', while 24 percent said that they relied on online testing. A further 14 percent said they had an after-training test, with a well-prepared 10 percent measuring incident and support call volumes before and after training.

“Business are finally understanding they need to make staff part of the defensive posture, rather than just throwing money at product. Historically, it’s been something that staff members have to attend, that they hate doing, and almost do with the same mind-set as health and safety training. This is not really a 21st century solution.”

“That’s not hacking it anymore, because two days later everyone has forgotten everything.”

Board buy-in is a must

It is clear that establishing a positive training program must start with board backing.

Wood says that it is pivotal to establishing a security culture to get training right, while independent pen tester and social engineering expert Richard De Vere calls for a more direct approach. “Get the board involved and shout until you are blue in the face because it's what they are paying you for.”

Some take bolder steps; one company sent simulated email attacks to board members before presenting to them on the same topic. Several of the board clicked on the links, and the bold CISO got his approval to send these links to end users - and provide follow-up training as required.

Red-teaming, gamification and more

Getting board support is crucial for funding, resources and the right culture. But how should training take form? Should it be online, in-person, and how do you shape this program in the first place?

Wood says proactive companies should first do red teaming exercises to work out their potential areas of compromise, so they can shape the program and address the specific risks to the business.

He tells CSO Online the story of one UK-based life sciences company, whose head of information sector hired First Base to build a ‘storyboard’ of an attack. Wood’s pen testers researched the company, found out that one threat actor would be organized crime, and discovered how these hackers would try and get information. From phishing emails and malware to on-site attacks via USB dongles, Wood says there were numerous weak points in the organization.

“What came out at the end wasn’t just a set of recommendations of how to fix this, but we also made sure to film it so they had visual evidence of us wandering around where we shouldn’t have been. They took this and made a training awareness program out of it, and they delivered it to the staff across the world as a story.”

That sort of imaginative approach to the problem is what’s needed, rather than taking a classroom-based approach.

De Vere urges: “Training shouldn't be patchy. Pick a good platform and provider and stick to it. Staff have a hard enough task as it is learning all the ways in which they pose a risk to security without misinformation or gaping holes in knowledge. If you don't have a social engineering training platform yet, get one.

“Staff should be considered 'responsible' for a breach in security but in return you have to bend over backwards to provide everything they need for support. If they fail, pat them on the back and sign them up for more training.”

Sjouwerman says its three-step process from establishing a baseline test, finding the results and training “everyone from the mailroom to the boardroom.” Tests, he says, must be done on a regular basis to keep employees interested and learning.

The experts are mixed on the new trend for ‘gamifying’ training, though. Sjouwerman says that phishing games between departments can drive lower click rates, but Wood stresses that it must not be a gimmick, and must be joined up with an existing program.

Next year his firm is working with a UK charity to build red teaming exercises into their annual conferences. “People do enjoy it,” he says.

Incentive the users

Wood admits that the biggest challenge is continuing the program, making it year round, something he says requires time and money. In the ideal world, he says each business should have security evangelists keeping up with the threats, and thinking creatively how training should take place.

Media reports can be used to keep a buzz around security, especially if breaches are local or industry-relevant.

The experts argue too that you can incentive employees on training. Some say if you use a phishing reporting tool, or have some other way of measuring end-user security awareness; you could award top employees with a gift at a company gathering. It's a positive way of recognizing excellence and reinforcing behavior.

Sjouwerman sees advantages to both the ‘carrot’ and ‘the stick approach’, but advises CISOs to enlighten employees on how this knowledge can be used at home for their own personal security.

Richard Starnes, CISO at the Kentucky Health Cooperative, agrees and tells CSO: “In my company’s awareness program, we break down the skills and relate them to things you would do to protect yourself at home.

“Show someone how to keep their children safe online at home and those skills easily translate to make your company safer at work.”

Starnes, who urges CISOs to establish KPIs to establish training effectiveness, adds: “There cannot be a culture of blame. I would rather have someone recognize they have made a mistake and notify security. If they do not notify security because they are concerned they may be punished, your awareness program has failed at the worst possible time.”